US-EU DATA TRANSFERS: THE FRAGILE FRAMEWORK OF THE PRIVACY SHIELD?

The new framework for transferring personal data between the EU and the US, the Privacy Shield, was finalised in July 2016. At its inception, the Privacy Shield had holes, and since the issuance of Executive Order 13768 on 25 January 2017, concerns about the viability of the Privacy Shield have grown. There is a wide range of opinions on the impact of Executive Order 13768, but one thing is clear: the only way to ‘future-proof’ your data protection programme is to understand the framework upon which the Privacy Shield is built.

Why do we need the Privacy Shield?

Under the EU Data Directive (the Directive) and the General Data Protection Regulation (GDPR), which enters into force in May 2018, personal data cannot be transferred to non-European Union/European Economic Area countries that do not ensure adequate levels of protection. “Personal Data” for the purposes of the Directive and the GDPR means any information relating to an identified or identifiable natural person. Common examples include email addresses, telephone numbers, addresses and even IP addresses. The European Commission (EC) has determined that certain countries do have “adequate protections”, but the US is not one of them. Thus, additional measures must be taken to ensure that adequate protections are in place prior to transferring data from the EU to the US.